Study finds phishing more successful when hacker personalizes the message

Hackers use any means necessary to get the information they're after.
A new study confirms that hackers have a better success rate if they include personal information in phishing emails. 

Share This Post

Phishing is nasty business. It's been around for years because it's incredibly effective without requiring a whole lot of effort on the side of the hacker, a dangerous combination in an age of heavy reliance on digital data. What's more, this scam's age has allowed cybercriminals the ability to refine their techniques, narrowing down on what works and exploiting common weaknesses. 

To help mitigate these attacks, researchers from the Friedrich-Alexander University of Erlangen-Nuremberg in Germany set up a study on the effects of different phishing techniques. Headed by the computer science department's chair, Dr. Zinaida Benenson, this report could help organizations lower their exposure. 

People feel comfortable when they see their name

This FAU study, upon which Benenson gave a speech at the Black Hat hacker conference, sent out phishing emails and Facebook messages to students on the university's campus. These messages had links about "last week's party" that were to simulate malware, although the researchers only directed students to an "access denied" page. 

One group was sent messages that didn't use first names, and only 20 percent of email recipients ended up clicking the link. However, when emails were sent to another group that actually contained the recipient's name, 56 percent clicked on the link. What's really interesting here is that 78 percent of the respondents stated that they knew clicking a link from an unknown source "can have bad consequences," and yet a good amount of participants continued to do so. 

"People can be lulled into a false sense of security simply by using their first name."

Basically, all of this shows that people can be lulled into a false sense of security simply by using their first name. This doesn't even delve into spear phishing, where hackers research a target immensely in order to create an email littered with personal information. A simple first-name reference, something anyone could find online, is apparently enough to more than double the click rate. 

The topic of the email is important, too

A crucial piece of information in the FAU study is the fact that these emails were about an unnamed party from the previous week. College students are known for their often raucous behavior, and a good portion of this group would want to see pictures from a fun event. Although the study itself didn't delve into other topics, it certainly isn't illogical to assume that the click rate would go down if the email had to do with a boring topic that few students would care about. CSO contributor Ira Winkler discussed this in an article on phishing awareness

"Then there is the fact that just because a user does not click on one phishing message, it doesn't mean they will not click on others," said Winkler. "Some people might not click on cat videos, while they would click on a shipping message."

This is a major point to consider, because it should force company leaders to think about what kinds of links their employees see on a regular basis. A hacker with access to an employee's account is going to notice if an organization relies on emails to send financial reports, and would therefore hide malware in a similar-looking link. 

Hackers rely on eye-catching topics. Email topics are especially important for hackers to catch their victim's attention.

How can you lower the risk of a breach?

The first step here is to educate users on the risks they face. People shouldn't be surprised to see personal information contained in an email from an unknown source if they have an extensive presence on social media. Of course, banning employees from these sites altogether is impossible and immoral, but workers should still know they can't trust a link in a message just because the sender knows their name. 

Finally, you'll need to understand your company's multiple attack vectors. Again, if you're relying on email, a hacker is going to see that as a way to exploit your employees. Your workers need to avoid phishing emails every single time, but a cybercriminal only needs to get lucky once. Therefore, many organizations would benefit from a robust Fax-over-IP solution. 

FoIP technology basically allows you to leverage the speed and convenience of email while also avoiding attacks such as phishing. It's an incredibly secure means of communication that can help ensure the security of your company's data. 

Enhance enterprise communication, collaboration and compliance efforts with a proven FoIP solution from FaxCore. Contact FaxCore today to learn more about their 'Partly-Cloudy' fax server software & solutions.

More To Explore

Ready to Take a test Drive?

Book your free demo today: